How to check SSL version running on the CPM?

Article ID: 167932

Products

XOS

Issue/Introduction

How to check SSL version running on the CPM?

Resolution

From a different machine with 'curl' installed, or from the secondary CPM, run the commands below to determine the SSL version.
(Assume the CPM1 IP address is 192.168.1.1.)
 
SSLv3 check:

admin]# curl --verbose --insecure https://192.168.1.1
* About to connect() to 192.168.1.1 port 443
* Trying 192.168.33.170... connected
* Connected to 192.168.33.170 (192.168.33.170) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):    <<<<<< SSLv3 response from the server succeeds because SSLv3 is enabled on the chassis
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server key exchange (12):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using EDH-DSS-DES-CBC3-SHA
* Server certificate:
* subject: /C=US/ST=MA/L=Boxborough/O=CrossBeam Systems/OU=CrossBeam Systems/CN=CrossBeam Systems
* start date: 2007-02-26 16:46:27 GMT
* expire date: 2027-02-21 16:46:27 GMT
* common name: CrossBeam Systems (does not match '192.168.1.1')
* issuer: /C=US/ST=MA/L=Boxborough/O=CrossBeam Systems/OU=CrossBeam Systems/CN=CrossBeam Systems
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: 192.168.33.170
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< ETag: W/"230-1306866057000"
< Last-Modified: Tue, 31 May 2011 18:20:57 GMT
< Content-Type: text/html
< Content-Length: 230
< Date: Fri, 13 Jul 2012 12:48:59 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Crossbeam</title>
<meta http-equiv="REFRESH" content="0;url=gem">
</head>
<body>
<!--Redirecting to GEM...-->
</body>
</html>
* Connection #0 to host 192.168.1.1 left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

 
 

SSLv2 check:

[[email protected] admin]# curl --verbose --insecure --sslv2 https://192.168.1.1
* About to connect() to 192.168.33.170 port 443
* Trying 192.168.33.170... connected
* Connected to 192.168.1.1 (192.168.1.1) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv2, Client hello (1):
error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher
* Closing connection #0
curl: (35) error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher
<<<<<< SSLv2 check fails because SSLv2 is not enabled
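
The two checks above can be scripted when several CPMs have to be audited. The following is an added example, not part of the original article: it classifies a saved `curl --verbose` transcript in the output format shown above, and `classify_probe`, `probe` and the trimmed sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example. classify_probe reads a `curl --verbose` transcript on stdin
# (curl 7.15.5 wording, as in the article) and prints one of:
#   ENABLED <protocol> <cipher>   handshake completed
#   REJECTED                      curl exit code 35, handshake refused
#   UNKNOWN                       neither pattern found (e.g. connection refused)
classify_probe() {
    awk '
        /Server hello \(2\)/ {          # protocol the server answered with
            line = $0
            sub(/^[* ]*/, "", line)
            split(line, part, ",")
            proto = part[1]
        }
        /SSL connection using / {       # cipher is only printed after a full handshake
            line = $0
            sub(/.*SSL connection using /, "", line)
            split(line, part, " ")
            cipher = part[1]
        }
        /^curl: \(35\)/ { failed = 1 }  # 35 = SSL connect error
        END {
            if (proto != "" && cipher != "" && !failed) print "ENABLED", proto, cipher
            else if (failed) print "REJECTED"
            else print "UNKNOWN"
        }'
}

# probe HOST FLAG: run one live check (hypothetical helper, not called here).
# Recent curl releases ignore --sslv2/--sslv3, so use a curl as old as the one
# in the article when testing those two protocols.
probe() {
    curl --verbose --insecure "$2" "https://$1" 2>&1 >/dev/null | classify_probe
}

# Constructed samples, trimmed from the two transcripts in the article.
SSLV3_SAMPLE='* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, Finished (20):
SSL connection using EDH-DSS-DES-CBC3-SHA'
SSLV2_SAMPLE='* SSLv2, Client hello (1):
error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher
curl: (35) error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher'

printf 'default: %s\n' "$(printf '%s\n' "$SSLV3_SAMPLE" | classify_probe)"
printf 'sslv2:   %s\n' "$(printf '%s\n' "$SSLV2_SAMPLE" | classify_probe)"
```

An `ENABLED SSLv3 ...` result for a chassis is the finding to act on; `REJECTED` for the SSLv2 probe matches the "no cipher" failure shown above.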